SHA256: e364d644063ba795b6e9db2172056ac1a1239231b56ab6c467b54ea01aba0c8e
File name: Wextract
Detection ratio: 2 / 72
Analysis date: 2019-04-13 01:59:54 UTC ( 6 days, 2 hours ago )
Antivirus Result Update
Bkav W32.HfsAdware.D3B2 20190412
eGambit not-a-virus:remoteAdmin.VNC.Variant 20190413
Acronis 20190412
Ad-Aware 20190413
AegisLab 20190413
AhnLab-V3 20190412
Alibaba 20190402
ALYac 20190413
Antiy-AVL 20190413
Arcabit 20190413
Avast 20190413
Avast-Mobile 20190412
AVG 20190412
Avira (no cloud) 20190412
Babable 20180918
Baidu 20190318
BitDefender 20190412
CAT-QuickHeal 20190412
ClamAV 20190412
CMC 20190321
Comodo 20190413
CrowdStrike Falcon (ML) 20190212
Cybereason 20190403
Cylance 20190413
Cyren 20190413
DrWeb 20190413
Emsisoft 20190413
Endgame 20190403
ESET-NOD32 20190413
F-Prot 20190413
F-Secure 20190413
FireEye 20190413
Fortinet 20190413
GData 20190413
Ikarus 20190412
Sophos ML 20190313
Jiangmin 20190413
K7AntiVirus 20190412
K7GW 20190413
Kaspersky 20190413
Kingsoft 20190413
Malwarebytes 20190413
MAX 20190413
McAfee 20190413
McAfee-GW-Edition 20190413
Microsoft 20190412
eScan 20190413
NANO-Antivirus 20190413
Palo Alto Networks (Known Signatures) 20190413
Panda 20190412
Qihoo-360 20190413
Rising 20190413
SentinelOne (Static ML) 20190407
Sophos AV 20190413
SUPERAntiSpyware 20190410
Symantec 20190412
Symantec Mobile Insight 20190410
TACHYON 20190413
Tencent 20190413
TheHacker 20190411
TotalDefense 20190412
Trapmine 20190325
TrendMicro 20190413
TrendMicro-HouseCall 20190413
Trustlook 20190413
VBA32 20190412
VIPRE 20190411
ViRobot 20190412
Webroot 20190413
Yandex 20190412
Zillya 20190412
ZoneAlarm by Check Point 20190413
Zoner 20190413
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
© Microsoft Corporation. All rights reserved.

Product Microsoft® Windows® Operating System
Original name WEXTRACT.EXE
Internal name Wextract
File version 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Description Win32 Cabinet Self-Extractor
Signature verification Signed file, verified signature
Signing date 7:53 PM 10/17/2009
Signers
[+] ShowMyPC
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 10/21/2008
Valid to 11:59 PM 10/21/2010
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 001DCE34AA30753655400431F71F1BD0D249E88A
Serial number 35 2D EC 93 69 CF 55 0E 9D 2E FE 36 0B 04 D2 6E
[+] Sectigo (UTN Object)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 06:31 PM 07/09/1999
Valid to 06:40 PM 07/09/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbprint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid. The revocation status of the certificate or one of the certificates in the certificate chain is unknown. Error 65536 (0x10000). The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 12:00 AM 06/15/2007
Valid to 11:59 PM 06/14/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 01:00 AM 12/04/2003
Valid to 12:59 AM 12/04/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 01:00 AM 01/01/1997
Valid to 12:59 AM 01/01/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT Unicode, UPX, SFX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-08-04 06:01:37
Entry Point 0x0000645C
Number of sections 3
PE sections
Overlays
MD5 888cc209be0c841a600fd59691da81dd
File type data
Offset 1254912
Size 5528
Entropy 7.34
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GetDeviceCaps
GetLastError
GetSystemTimeAsFileTime
DosDateTimeToFileTime
ReadFile
GetStartupInfoA
GetSystemInfo
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
LoadLibraryA
GetExitCodeProcess
QueryPerformanceCounter
MulDiv
ExitProcess
SetFileTime
GetVersionExA
GlobalUnlock
GetModuleFileNameA
IsDBCSLeadByte
GetShortPathNameA
FreeLibrary
GetCurrentProcess
GetVolumeInformationA
LoadLibraryExA
SizeofResource
GetCurrentDirectoryA
GetPrivateProfileStringA
WritePrivateProfileStringA
LocalAlloc
lstrcatA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
_llseek
GetCommandLineA
GlobalLock
EnumResourceLanguagesA
TerminateThread
GetTempPathA
CreateMutexA
GetModuleHandleA
_lclose
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
GetCurrentProcessId
CreateEventA
lstrcpyA
_lopen
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
FreeResource
SetFileAttributesA
SetEvent
LocalFree
FindResourceA
TerminateProcess
CreateProcessA
RemoveDirectoryA
SetUnhandledExceptionFilter
LockResource
LoadResource
WriteFile
GlobalAlloc
LocalFileTimeToFileTime
FindClose
FormatMessageA
GetTickCount
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetProcAddress
SetCurrentDirectoryA
ResetEvent
CharPrevA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetSystemMetrics
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
GetDC
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
LoadStringA
CharNextA
GetDesktopWindow
CallWindowProcA
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_RCDATA 14
RT_ICON 12
RT_DIALOG 6
RT_STRING 6
RT_MESSAGETABLE 1
AVI 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 28
NEUTRAL 14
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 7.1
ImageVersion 5.1
FileSubtype 0
FileVersionNumber 6.0.2900.2180
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Win32 Cabinet Self-Extractor
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 1214464
EntryPoint 0x645c
OriginalFileName WEXTRACT.EXE
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
TimeStamp 2004:08:04 08:01:37+02:00
FileType Win32 EXE
PEType PE32
InternalName Wextract
ProductVersion 6.00.2900.2180
SubsystemVersion 4.0
OSVersion 5.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 39424
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.0.2900.2180
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 03503a9096e4343e38400278e26f0656
SHA1 3c8d1b1c061e9dbbd23e5d51ca101a1fd46a9dd1
SHA256 e364d644063ba795b6e9db2172056ac1a1239231b56ab6c467b54ea01aba0c8e
ssdeep 24576:ZQZD1zwB3zeT+Ryp63i54T+yzWo0e4eAktxH8wG34ad/E:uZ5zQeKUpzy5zWOUTJE
authentihash 57da52744ce220ad03af0a08382ef4bc42daa9a51b1dfd54b7dccd86a3c69648
imphash 0ebb3c09b06b1666d307952e824c8697
File size 1.2 MB ( 1260440 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 MS Cabinet Self-Extractor (WExtract stub) (79.9%)
Win32 Executable MS Visual C++ (generic) (8.2%)
Win64 Executable (generic) (7.2%)
Win32 Dynamic Link Library (generic) (1.7%)
Win32 Executable (generic) (1.1%)
Tags
peexe software-collection signed upx overlay

VirusTotal metadata
First submission 2009-10-18 02:30:23 UTC ( 9 years, 6 months ago )
Last submission 2018-08-25 07:13:27 UTC ( 7 months, 3 weeks ago )
File names vsg60d69.p7o
3c8d1b1c061e9dbbd23e5d51ca101a1fd46a9dd1.bin
ShowMyPCSSH.exe
ShowMyPC3010.exe
Ukaz moj PC.exe
3010.exe1
smona131407204737252752277
showmypc.exe
definitiva2.exe
SMP.EXE
718bb364987f1cda3b86131497b9c200a4e86e11.EXE
vs5l055g.159
vstl0fsg.1er
03503a9096e4343e38400278e26f0656
vs5l055g.14u
filename
istemci.exe
ShowMyPC3010.exe
showmypcssh.exe
vs3h00e3.h8m
Conexion%20con%20Alpes.exe
ShowMyPC.exe
A0173406.exe
ShowMyPC3010.exe.old
sample_3c8d1b1c061e9dbbd23e5d51ca101a1fd46a9dd1
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua
Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana
dll-injection